Re: [Freeipa-users] sudo - differences between Centos 6.5 and Centos 7.0?

2016-07-14 Thread Tomas Simecek
Hi Lukas,
sorry to say, but nothing helps.

I have just updated the IPA server, so that now it is:
[root@svlxxipap ~]# cat /etc/redhat-release
CentOS Linux release 7.2.1511 (Core)

with:
[root@svlxxipap ~]# rpm -qa|grep ipa
ipa-server-trust-ad-4.2.0-15.0.1.el7.centos.17.x86_64
libipa_hbac-1.13.0-40.el7_2.9.x86_64
ipa-python-4.2.0-15.0.1.el7.centos.17.x86_64
ipa-server-dns-4.2.0-15.0.1.el7.centos.17.x86_64
python-iniparse-0.4-9.el7.noarch
ipa-server-4.2.0-15.0.1.el7.centos.17.x86_64
sssd-ipa-1.13.0-40.el7_2.9.x86_64
ipa-admintools-4.2.0-15.0.1.el7.centos.17.x86_64
python-libipa_hbac-1.13.0-40.el7_2.9.x86_64
ipa-client-4.2.0-15.0.1.el7.centos.17.x86_64

I have also changed sudoers to sudo in sssd.conf as you suggested and
restarted sssd.
No difference, still:
[simecek.to...@sd-stc.cz@zp-cml-test ~]$ sudo service sshd restart
[sudo] password for simecek.to...@sd-stc.cz:
simecek.to...@sd-stc.cz is not in the sudoers file.  This incident will be
reported.

I guess I will pilot some more IPA clients to make sure it works reliably
and if yes, I guess we will be able to live with the fact that older
Linuxes do not offer sudo to AD clients.

Or do you think there is something more to try?

Thanks

T.

2016-07-14 13:32 GMT+02:00 Lukas Slebodnik <lsleb...@redhat.com>:

> On (14/07/16 13:06), Tomas Simecek wrote:
> >Hi Lukas,
> >I did as you said.
> >Logs are attached to this mail.
> >
> Thank you very much for provided data.
>
> The main problem is that the full refresh of sudo rules did not store any
> rules.
>
> It might be caused by the following errors, which might be caused by issues
> with the old buggy IPA server on CentOS 7.0
>
> [ipa_s2n_save_objects] (0x2000): Updating memberships for
> borek.pa...@sd-stc.cz
> [sysdb_mod_group_member] (0x0080): ldb_modify failed: [No such
> object](32)[ldb_wait: No such object (32)]
> [sysdb_mod_group_member] (0x0400): Error: 2 (No such file or directory)
> [sysdb_update_members_ex] (0x0020): Could not add member [
> borek.pa...@sd-stc.cz] to group [name=acco...@sd-stc.cz,cn=groups,cn=
> sd-stc.cz,cn=sysdb]. Skipping.
> [sysdb_mod_group_member] (0x0080): ldb_modify failed: [No such
> object](32)[ldb_wait: No such object (32)]
> [sysdb_mod_group_member] (0x0400): Error: 2 (No such file or directory)
> [sysdb_update_members_ex] (0x0020): Could not add member [
> borek.pa...@sd-stc.cz] to group [name=borek.pa...@sd-stc.cz,cn=groups,cn=
> sd-stc.cz,cn=sysdb]. Skipping.
>
> Attached is a reduced log.
>
> You might try a new feature in sssd-1.13 on el6 which will
> avoid using the compat tree for sudo.
>
> Try to change ldap_sudo_search_base from
> ou=sudoers,dc=linuxdomain,dc=cz -> cn=sudo,dc=linuxdomain,dc=cz
>
> It does not mean that it will solve the issue with the extop plugin
> on the IPA server (ipa_s2n_save_objects)
>
> If it does not help then please provide the same data as in the previous mail.
> BTW I strongly suspect issues on the IPA server on CentOS 7.0.
> It might work on the CentOS 7.0 client only by chance.
>
> LS
>
-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

Re: [Freeipa-users] sudo - differences between Centos 6.5 and Centos 7.0?

2016-07-14 Thread Tomas Simecek
Thanks Lukas,
to be honest I am not sure what you mean by "Please test with id
simecek.to...@sd-stc.cz."
It is the user I am testing with all the time.

Here is what I see on client where sudo does not work:
[simecek.to...@sd-stc.cz@zp-cml-test ~]$ id
uid=988604700(simecek.to...@sd-stc.cz) gid=988604700(simecek.to...@sd-stc.cz)
groups=988604700(simecek.to...@sd-stc.cz),43124(grpunixadmins),988600513(domain
us...@sd-stc.cz),988604182(acco...@sd-stc.cz),988604754(mfcr_...@sd-stc.cz
),988604825(unixadm...@sd-stc.cz),988604833(wifiadm...@sd-stc.cz)

You can see the Centos 6.6 client knows about all the groups assigned to the
user, incl. AD groups (unixadmins), which seems funny to me.

You are right, IPA server is Centos 7.0 and functional client is Centos 7.0
as well. Both login and sudo work on client with Centos 7.0.
Rules on IPA server are set to work on both clients, but work only on 7.0.
If I run an update on the server, it would update ipa-server from v.
4.2.0-15.0.1.el7.centos.6.1 to v. 4.2.0-15.0.1.el7.centos.17.

Does it make sense now?

Thanks

T.


2016-07-14 12:21 GMT+02:00 Lukas Slebodnik <lsleb...@redhat.com>:

> On (14/07/16 11:26), Tomas Simecek wrote:
> >Hi Lukas,
> >we have Active Directory group "UnixAdmins".
> >We have IPA external group ad_admins_external
> ><https://svlxxipap.linuxdomain.cz/ipa/ui/#ad_admins_external>, which has
> >Windows "UnixAdmins" group as a member.
> >We have local IPA group grpunixadmins
> ><https://svlxxipap.linuxdomain.cz/ipa/ui/#grpunixadmins>, which has
> >ad_admins_external group as a member.
> >So from that perspective user simecek.to...@sd-stc.cz is a member of
> >grpunixadmins <https://svlxxipap.linuxdomain.cz/ipa/ui/#grpunixadmins>.
> >That setup works for ssh logins and for sudo on Centos 7.0.
> >
> If a user is a member of a group in IPA it does not mean that
> it's properly propagated to the client :-)
>
> I can see few errors in log
> >(Thu Jul 14 09:53:57 2016) [sssd[be[linuxdomain.cz]]]
> >[sysdb_mod_group_member] (0x0080): ldb_modify failed: [No such
> >object](32)[ldb_wait: No such object (32)]
> >(Thu Jul 14 09:53:57 2016) [sssd[be[linuxdomain.cz]]]
> >[sysdb_mod_group_member] (0x0400): Error: 2 (No such file or directory)
> >(Thu Jul 14 09:53:57 2016) [sssd[be[linuxdomain.cz]]]
> >[sysdb_update_members_ex] (0x0020): Could not add member [
> >simecek.to...@sd-stc.cz] to group [name=simecek.to...@sd-stc.cz
> >,cn=groups,cn=sd-stc.cz,cn=sysdb]. Skipping.
> >(Thu Jul 14 09:53:57 2016) [sssd[be[linuxdomain.cz]]]
> >[ipa_s2n_save_objects] (0x2000): Updating memberships for
> >simecek.to...@sd-stc.cz
> >(Thu Jul 14 09:53:57 2016) [sssd[be[linuxdomain.cz]]]
> >[sysdb_mod_group_member] (0x0080): ldb_modify failed: [No such
> >object](32)[ldb_wait: No such object (32)]
> >(Thu Jul 14 09:53:57 2016) [sssd[be[linuxdomain.cz]]]
> >[sysdb_mod_group_member] (0x0400): Error: 2 (No such file or directory)
> >(Thu Jul 14 09:53:57 2016) [sssd[be[linuxdomain.cz]]]
> >[sysdb_update_members_ex] (0x0020): Could not add member [
> >simecek.to...@sd-stc.cz] to group [name=simecek.to...@sd-stc.cz
> >,cn=groups,cn=sd-stc.cz,cn=sysdb]. Skipping.
>
> Please test with id simecek.to...@sd-stc.cz.
> I'm pretty sure that you will not see a group grpunixadmins.
>
> BTW according to the domain logs it looks like a bug with the extop plugin
> on the freeipa server. I assume that the ipa server is on CentOS 7.0
> because you mention it works on Centos 7.0.
>
> I would strongly recommend upgrading the server to 7.2
>
> LS
>

Re: [Freeipa-users] sudo - differences between Centos 6.5 and Centos 7.0?

2016-07-14 Thread Tomas Simecek
Hi Rob,
thanks, but this is not the case.
Firstly, for initial test purposes I am not limiting sudo to specific
commands, in the rule it is set to "any".
Secondly, it fails even in non-symlink cases:

[root@zp-cml-test ~]# which service
/sbin/service
[root@zp-cml-test ~]# ll /sbin/service
-rwxr-xr-x. 1 root root 1694 Oct 16  2014 /sbin/service
[root@zp-cml-test ~]# logout
[simecek.to...@sd-stc.cz@zp-cml-test ~]$ sudo service sshd restart
[sudo] password for simecek.to...@sd-stc.cz:
simecek.to...@sd-stc.cz is not in the sudoers file.  This incident will be
reported.

Thanks anyway, let me know if something else comes to your mind.

Tomas

2016-07-14 11:51 GMT+02:00 Rob Verduijn <rob.verdu...@gmail.com>:

> hi,
>
> just a long shot here..
>
> I've been battling sudo for a couple of days now and found that my issue was
> one related to symlinks.
> On centos7 'which cat' says /bin/cat,
> but on centos7 /bin is a symlink to /usr/bin, and sudo knows a symlink when
> it sees one and to prevent abuse it requires the 'real' path for the sudo
> rule: ALL=(ALL) /usr/bin/cat
> On centos6 'which cat' also says /bin/cat, but since /bin is not a symlink it
> requires the sudo rule to be ALL=(ALL) /bin/cat
> so for sudo to work on both centos6 and centos7 you would require 2
> sudo rules.
>
> Ignore me if this is irrelevant.
>
> Just my 2 cents
> Rob
>
> 2016-07-14 10:38 GMT+02:00 Lukas Slebodnik <lsleb...@redhat.com>:
>
>> On (14/07/16 10:09), Tomas Simecek wrote:
>> >Thanks all of you guys,
>> >I have updated to:
>> >sssd-krb5-common-1.13.3-22.el6_8.4.x86_64
>> >sssd-1.13.3-22.el6_8.4.x86_64
>> >sssd-ldap-1.13.3-22.el6_8.4.x86_64
>> >sssd-client-1.13.3-22.el6_8.4.x86_64
>> >sssd-ad-1.13.3-22.el6_8.4.x86_64
>> >sssd-proxy-1.13.3-22.el6_8.4.x86_64
>> >libsss_idmap-1.13.3-22.el6_8.4.x86_64
>> >sssd-common-1.13.3-22.el6_8.4.x86_64
>> >sssd-ipa-1.13.3-22.el6_8.4.x86_64
>> >python-sssdconfig-1.13.3-22.el6_8.4.noarch
>> >sssd-krb5-1.13.3-22.el6_8.4.x86_64
>> >sssd-common-pac-1.13.3-22.el6_8.4.x86_64
>> >(there does not seem to be libsss_sudo in Centos as suggested by Danila).
>> >and restarted sssd.
>> >
>> >There are two rules enabled. One HBAC as I presented earlier:
>> >  Rule name: Unixari na test servery
>> >  Enabled: TRUE
>> >  User Groups: grpunixadmins
>> >  Hosts: spcss-2t-www.linuxdomain.cz, zp-cml-test.linuxdomain.cz
>> >  Services: login, sshd, sudo, sudo-i, su, su-l
>> >
>> >and one sudo rule:
>> >Rule name: Pokusne
>> >  Enabled: TRUE
>> >  Command category: all
>> >  User Groups: grpunixadmins
>> >  Hosts: spcss-2t-www.linuxdomain.cz, zp-cml-test.linuxdomain.cz
>> >
>> >Default "all-access" rules are disabled.
>> >
>> >When I try to sudo as an AD user (member of grpunixadmins) on Centos 6.6, I
>> >still get:
>> >
>> >[simecek.to...@sd-stc.cz@zp-cml-test ~]$ sudo cat /etc/nsswitch.conf
>> >[sudo] password for simecek.to...@sd-stc.cz:
>> >simecek.to...@sd-stc.cz is not in the sudoers file.  This incident will
>> be
>> >reported.
>> >
>> >It works fine on Centos 7 (spcss-2t-www.linuxdomain.cz).
>> >
>> >sssd.conf:
>> >[domain/linuxdomain.cz]
>> >cache_credentials = True
>> >krb5_store_password_if_offline = True
>> >ipa_domain = linuxdomain.cz
>> >id_provider = ipa
>> >krb5_realm = LINUXDOMAIN.CZ
>> >auth_provider = ipa
>> >access_provider = ipa
>> >ipa_hostname = zp-cml-test.linuxdomain.cz
>> >chpass_provider = ipa
>> >ipa_server = svlxxipap.linuxdomain.cz
>> >ldap_tls_cacert = /etc/ipa/ca.crt
>> >override_shell = /bin/bash
>> >sudo_provider = ipa
>> >ldap_uri = ldap://svlxxipap.linuxdomain.cz
>> >ldap_sudo_search_base = ou=sudoers,dc=linuxdomain,dc=cz
>> >ldap_sasl_mech = GSSAPI
>> >#ldap_sasl_authid = host/zp-cml-test.linuxdomain...@linuxdomain.cz
>> >ldap_sasl_authid = host/zp-cml-test.linuxdomain.cz
>> >ldap_sasl_realm = LINUXDOMAIN.CZ
>> >krb5_server = svlxxipap.linuxdomain.cz
>> >debug_level = 0x3ff0
>> >[sssd]
>> >services = nss, sudo, pam, ssh
>> >config_file_version = 2
>> >domains = linuxdomain.cz
>> >[nss]
>> >homedir_substring = /home
>> >[pam]
>> >[sudo]
>> >debug_level = 0x3ff0
>> >[autofs]
>> >[ssh]
>> >[pac]
>> >[ifp]
>> >
>> >
>> >sssd_sudo.log from the moment I trie

Re: [Freeipa-users] sudo - differences between Centos 6.5 and Centos 7.0?

2016-07-14 Thread Tomas Simecek
Hi Lukas,
we have Active Directory group "UnixAdmins".
We have IPA external group ad_admins_external
<https://svlxxipap.linuxdomain.cz/ipa/ui/#ad_admins_external>, which has
Windows "UnixAdmins" group as a member.
We have local IPA group grpunixadmins
<https://svlxxipap.linuxdomain.cz/ipa/ui/#grpunixadmins>, which has
ad_admins_external group as a member.
So from that perspective user simecek.to...@sd-stc.cz is a member of
grpunixadmins <https://svlxxipap.linuxdomain.cz/ipa/ui/#grpunixadmins>.
That setup works for ssh logins and for sudo on Centos 7.0.

It is as per the installation document
https://www.freeipa.org/page/Active_Directory_trust_setup

Correct me if I am wrong, but if it works on Client 1, it should also work
on Client 2.

T.

2016-07-14 10:38 GMT+02:00 Lukas Slebodnik <lsleb...@redhat.com>:

> On (14/07/16 10:09), Tomas Simecek wrote:
> >Thanks all of you guys,
> >I have updated to:
> >sssd-krb5-common-1.13.3-22.el6_8.4.x86_64
> >sssd-1.13.3-22.el6_8.4.x86_64
> >sssd-ldap-1.13.3-22.el6_8.4.x86_64
> >sssd-client-1.13.3-22.el6_8.4.x86_64
> >sssd-ad-1.13.3-22.el6_8.4.x86_64
> >sssd-proxy-1.13.3-22.el6_8.4.x86_64
> >libsss_idmap-1.13.3-22.el6_8.4.x86_64
> >sssd-common-1.13.3-22.el6_8.4.x86_64
> >sssd-ipa-1.13.3-22.el6_8.4.x86_64
> >python-sssdconfig-1.13.3-22.el6_8.4.noarch
> >sssd-krb5-1.13.3-22.el6_8.4.x86_64
> >sssd-common-pac-1.13.3-22.el6_8.4.x86_64
> >(there does not seem to be libsss_sudo in Centos as suggested by Danila).
> >and restarted sssd.
> >
> >There are two rules enabled. One HBAC as I presented earlier:
> >  Rule name: Unixari na test servery
> >  Enabled: TRUE
> >  User Groups: grpunixadmins
> >  Hosts: spcss-2t-www.linuxdomain.cz, zp-cml-test.linuxdomain.cz
> >  Services: login, sshd, sudo, sudo-i, su, su-l
> >
> >and one sudo rule:
> >Rule name: Pokusne
> >  Enabled: TRUE
> >  Command category: all
> >  User Groups: grpunixadmins
> >  Hosts: spcss-2t-www.linuxdomain.cz, zp-cml-test.linuxdomain.cz
> >
> >Default "all-access" rules are disabled.
> >
> >When I try to sudo as an AD user (member of grpunixadmins) on Centos 6.6, I
> >still get:
> >
> >[simecek.to...@sd-stc.cz@zp-cml-test ~]$ sudo cat /etc/nsswitch.conf
> >[sudo] password for simecek.to...@sd-stc.cz:
> >simecek.to...@sd-stc.cz is not in the sudoers file.  This incident will
> be
> >reported.
> >
> >It works fine on Centos 7 (spcss-2t-www.linuxdomain.cz).
> >
> >sssd.conf:
> >[domain/linuxdomain.cz]
> >cache_credentials = True
> >krb5_store_password_if_offline = True
> >ipa_domain = linuxdomain.cz
> >id_provider = ipa
> >krb5_realm = LINUXDOMAIN.CZ
> >auth_provider = ipa
> >access_provider = ipa
> >ipa_hostname = zp-cml-test.linuxdomain.cz
> >chpass_provider = ipa
> >ipa_server = svlxxipap.linuxdomain.cz
> >ldap_tls_cacert = /etc/ipa/ca.crt
> >override_shell = /bin/bash
> >sudo_provider = ipa
> >ldap_uri = ldap://svlxxipap.linuxdomain.cz
> >ldap_sudo_search_base = ou=sudoers,dc=linuxdomain,dc=cz
> >ldap_sasl_mech = GSSAPI
> >#ldap_sasl_authid = host/zp-cml-test.linuxdomain...@linuxdomain.cz
> >ldap_sasl_authid = host/zp-cml-test.linuxdomain.cz
> >ldap_sasl_realm = LINUXDOMAIN.CZ
> >krb5_server = svlxxipap.linuxdomain.cz
> >debug_level = 0x3ff0
> >[sssd]
> >services = nss, sudo, pam, ssh
> >config_file_version = 2
> >domains = linuxdomain.cz
> >[nss]
> >homedir_substring = /home
> >[pam]
> >[sudo]
> >debug_level = 0x3ff0
> >[autofs]
> >[ssh]
> >[pac]
> >[ifp]
> >
> >
> >sssd_sudo.log from the moment I tried sudo:
> >(Thu Jul 14 09:53:41 2016) [sssd[sudo]] [sysdb_search_group_by_gid]
> >(0x0400): No such entry
> >(Thu Jul 14 09:53:41 2016) [sssd[sudo]]
> [sudosrv_get_sudorules_query_cache]
> >(0x0200): Searching sysdb with
> >[(&(objectClass=sudoRule)(|(sudoUser=ALL)(name=defaults)(sudoUser=
> >simecek.to...@sd-stc.cz)(sudoUser=#988604700)(sudoUser=%domain\
> >20us...@sd-stc.cz)(sudoUser=%unixadm...@sd-stc.cz
> >)(sudoUser=%grpunixadmins)(sudoUser=%mfcr_...@sd-stc.cz)(sudoUser=%
> >acco...@sd-stc.cz)(sudoUser=%wifiadm...@sd-stc.cz
> >)(sudoUser=+*))(&(dataExpireTimestamp<=1468482821)))]
> >(Thu Jul 14 09:53:41 2016) [sssd[sudo]] [sudosrv_get_rules] (0x2000):
> About
> >to get sudo rules from cache
> >(Thu Jul 14 09:53:41 2016) [sssd[sudo]] [sysdb_search_group_by_gid]
> >(0x0400): No such entry
> >(Thu Jul 14 0

Re: [Freeipa-users] sudo - differences between Centos 6.5 and Centos 7.0?

2016-07-13 Thread Tomas Simecek
Thanks,
I will try. But I am afraid to update to a more recent version than those in
the official repos.

Thanks anyway.

T.

2016-07-13 15:39 GMT+02:00 <ladner.dan...@gmail.com>:

> Update to at least sssd 1.12 and libsss_sudo. As I recall the sudo ipa
> provider did not work under 1.11
>
> Sent from my iPhone
>
> On Jul 13, 2016, at 9:02 AM, Tomas Simecek <simecek.to...@gmail.com>
> wrote:
>
> Hi,
> versions are:
> sssd-client-1.11.6-30.el6.x86_64
> sssd-ipa-1.11.6-30.el6.x86_64
> ipa-client-3.0.0-50.el6.centos.1.x86_64
> as part of:
> CentOS release 6.6 (Final)
>
> T.
>
> 2016-07-13 14:52 GMT+02:00 <ladner.dan...@gmail.com>:
>
>> Again what is client version on 6.5?
>>
>>
>> Sent from my iPhone
>>
>> On Jul 13, 2016, at 8:25 AM, Tomas Simecek <simecek.to...@gmail.com>
>> wrote:
>>
>> Thanks for your information Lukas,
>> I have changed sudo_provider to ipa and restarted sssd, and there is no difference.
>> Logfile still says "Access granted by HBAC rule..." and sudo says
>> simecek.to...@sd-stc.cz is not allowed to run sudo on zp-cml-test.
>>
>> Btw. man sssd-sudo says:
>> The following example shows how to configure SSSD to download
>> sudo rules from an LDAP server.
>>
>>[sssd]
>>config_file_version = 2
>>services = nss, pam, sudo
>>domains = EXAMPLE
>>
>>[domain/EXAMPLE]
>>    id_provider = ldap
>>
>> so I am not that sure what should be set on my version of sssd.
>>
>> Any idea?
>>
>> Thanks
>>
>> T.
>>
>> 2016-07-13 13:44 GMT+02:00 Lukas Slebodnik <lsleb...@redhat.com>:
>>
>>> On (13/07/16 13:36), Tomas Simecek wrote:
>>> >Lukas,
>>> >yes, I went through that guide and I configured sssd.conf as per the doc
>>> >(you can see it in the beginning of the thread).
>>> >
>>> >Actually the installation is:
>>> >[root@zp-cml-test sssd]# cat /etc/redhat-release
>>> >CentOS release 6.6 (Final)
>>> >
>>> >and versions are:
>>> >[root@zp-cml-test sssd]# rpm -qa |grep sssd
>>> >sssd-proxy-1.11.6-30.el6.x86_64
>>> >sssd-common-pac-1.11.6-30.el6.x86_64
>>> >sssd-ipa-1.11.6-30.el6.x86_64
>>> >sssd-1.11.6-30.el6.x86_64
>>> >sssd-common-1.11.6-30.el6.x86_64
>>> >sssd-ad-1.11.6-30.el6.x86_64
>>> >sssd-ldap-1.11.6-30.el6.x86_64
>>> >python-sssdconfig-1.11.6-30.el6.noarch
>>> >sssd-krb5-common-1.11.6-30.el6.x86_64
>>> >sssd-krb5-1.11.6-30.el6.x86_64
>>> >sssd-client-1.11.6-30.el6.x86_64
>>> >
>>> 1.11 has sudo_provider=ipa
>>>
>>> @see instructions in man sssd-sudo on how to configure it.
>>> It should avoid issues with two different providers (ipa and ldap)
>>>
>>> >
>>> >There are some reasons why not to upgrade to later versions, believe
>>> me, I
>>> >would do it if I could :-)
>>> >
>>> You can at least try to upgrade sssd from 6.8 if you do not want
>>> to upgrade the whole OS.
>>>
>>> LS
>>>
>>
>>
>>
>

Re: [Freeipa-users] sudo - differences between Centos 6.5 and Centos 7.0?

2016-07-13 Thread Tomas Simecek
Hi,
versions are:
sssd-client-1.11.6-30.el6.x86_64
sssd-ipa-1.11.6-30.el6.x86_64
ipa-client-3.0.0-50.el6.centos.1.x86_64
as part of:
CentOS release 6.6 (Final)

T.

2016-07-13 14:52 GMT+02:00 <ladner.dan...@gmail.com>:

> Again what is client version on 6.5?
>
>
> Sent from my iPhone
>
> On Jul 13, 2016, at 8:25 AM, Tomas Simecek <simecek.to...@gmail.com>
> wrote:
>
> Thanks for your information Lukas,
> I have changed sudo_provider to ipa and restarted sssd, and there is no difference.
> Logfile still says "Access granted by HBAC rule..." and sudo says
> simecek.to...@sd-stc.cz is not allowed to run sudo on zp-cml-test.
>
> Btw. man sssd-sudo says:
> The following example shows how to configure SSSD to download
> sudo rules from an LDAP server.
>
>[sssd]
>config_file_version = 2
>services = nss, pam, sudo
>domains = EXAMPLE
>
>[domain/EXAMPLE]
>id_provider = ldap
>
> so I am not that sure what should be set on my version of sssd.
>
> Any idea?
>
> Thanks
>
> T.
>
> 2016-07-13 13:44 GMT+02:00 Lukas Slebodnik <lsleb...@redhat.com>:
>
>> On (13/07/16 13:36), Tomas Simecek wrote:
>> >Lukas,
>> >yes, I went through that guide and I configured sssd.conf as per the doc
>> >(you can see it in the beginning of the thread).
>> >
>> >Actually the installation is:
>> >[root@zp-cml-test sssd]# cat /etc/redhat-release
>> >CentOS release 6.6 (Final)
>> >
>> >and versions are:
>> >[root@zp-cml-test sssd]# rpm -qa |grep sssd
>> >sssd-proxy-1.11.6-30.el6.x86_64
>> >sssd-common-pac-1.11.6-30.el6.x86_64
>> >sssd-ipa-1.11.6-30.el6.x86_64
>> >sssd-1.11.6-30.el6.x86_64
>> >sssd-common-1.11.6-30.el6.x86_64
>> >sssd-ad-1.11.6-30.el6.x86_64
>> >sssd-ldap-1.11.6-30.el6.x86_64
>> >python-sssdconfig-1.11.6-30.el6.noarch
>> >sssd-krb5-common-1.11.6-30.el6.x86_64
>> >sssd-krb5-1.11.6-30.el6.x86_64
>> >sssd-client-1.11.6-30.el6.x86_64
>> >
>> 1.11 has sudo_provider=ipa
>>
>> @see instructions in man sssd-sudo on how to configure it.
>> It should avoid issues with two different providers (ipa and ldap)
>>
>> >
>> >There are some reasons why not to upgrade to later versions, believe me,
>> I
>> >would do it if I could :-)
>> >
>> You can at least try to upgrade sssd from 6.8 if you do not want
>> to upgrade the whole OS.
>>
>> LS
>>
>
>
>

Re: [Freeipa-users] sudo - differences between Centos 6.5 and Centos 7.0?

2016-07-13 Thread Tomas Simecek
Thanks for your information Lukas,
I have changed sudo_provider to ipa and restarted sssd, and there is no difference.
Logfile still says "Access granted by HBAC rule..." and sudo says
simecek.to...@sd-stc.cz is not allowed to run sudo on zp-cml-test.

Btw. man sssd-sudo says:
The following example shows how to configure SSSD to download
sudo rules from an LDAP server.

   [sssd]
   config_file_version = 2
   services = nss, pam, sudo
   domains = EXAMPLE

   [domain/EXAMPLE]
   id_provider = ldap

so I am not that sure what should be set on my version of sssd.

Any idea?

Thanks

T.

2016-07-13 13:44 GMT+02:00 Lukas Slebodnik <lsleb...@redhat.com>:

> On (13/07/16 13:36), Tomas Simecek wrote:
> >Lukas,
> >yes, I went through that guide and I configured sssd.conf as per the doc
> >(you can see it in the beginning of the thread).
> >
> >Actually the installation is:
> >[root@zp-cml-test sssd]# cat /etc/redhat-release
> >CentOS release 6.6 (Final)
> >
> >and versions are:
> >[root@zp-cml-test sssd]# rpm -qa |grep sssd
> >sssd-proxy-1.11.6-30.el6.x86_64
> >sssd-common-pac-1.11.6-30.el6.x86_64
> >sssd-ipa-1.11.6-30.el6.x86_64
> >sssd-1.11.6-30.el6.x86_64
> >sssd-common-1.11.6-30.el6.x86_64
> >sssd-ad-1.11.6-30.el6.x86_64
> >sssd-ldap-1.11.6-30.el6.x86_64
> >python-sssdconfig-1.11.6-30.el6.noarch
> >sssd-krb5-common-1.11.6-30.el6.x86_64
> >sssd-krb5-1.11.6-30.el6.x86_64
> >sssd-client-1.11.6-30.el6.x86_64
> >
> 1.11 has sudo_provider=ipa
>
> @see instructions in man sssd-sudo on how to configure it.
> It should avoid issues with two different providers (ipa and ldap)
>
> >
> >There are some reasons why not to upgrade to later versions, believe me, I
> >would do it if I could :-)
> >
> You can at least try to upgrade sssd from 6.8 if you do not want
> to upgrade the whole OS.
>
> LS
>
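
The provider question that runs through this exchange (sudo_provider = ldap against the compat tree versus sudo_provider = ipa, and whether the sudo responder is started at all) is easy to check mechanically before digging into logs. The following is an added example, not code from the thread, from SSSD or from FreeIPA: a small lint over an sssd.conf. The two configs inside it are constructed to mirror the thread's el6 setup, and ipa.example.com with its base DN is assumed; the rules it applies are the defaults from sssd.conf(5) (sudo_provider falls back to id_provider) and Lukas's advice above (sudo_provider = ipa; on sssd 1.13 and later the native cn=sudo tree instead of the ou=sudoers compat tree).

```python
"""Lint an sssd.conf for the settings that decide whether sudo rules can
reach an IPA client: is the sudo responder started, which provider serves
sudo, and which tree on the server it reads.

Added example, not code from the thread, from SSSD or from FreeIPA. Both
configs below are constructed; ipa.example.com and its base DN are assumed.
"""
import configparser
from typing import List, Tuple

# Constructed: the shape of the thread's el6 config, with the weak settings.
WEAK_CONF = """
[sssd]
services = nss, pam, ssh
config_file_version = 2
domains = ipa.example.com

[domain/ipa.example.com]
id_provider = ipa
auth_provider = ipa
access_provider = ipa
sudo_provider = ldap
ldap_sudo_search_base = ou=sudoers,dc=ipa,dc=example,dc=com
"""

# Constructed: the same domain after applying the advice given in the thread.
FIXED_CONF = """
[sssd]
services = nss, pam, ssh, sudo
config_file_version = 2
domains = ipa.example.com

[domain/ipa.example.com]
id_provider = ipa
auth_provider = ipa
access_provider = ipa
sudo_provider = ipa
ldap_sudo_search_base = cn=sudo,dc=ipa,dc=example,dc=com
"""

Finding = Tuple[str, str]  # (severity, message)


def _load(text: str) -> configparser.ConfigParser:
    # sssd.conf values carry '%' and ':' inside DNs and URIs: no interpolation.
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(text)
    return cp


def _csv(value: str) -> List[str]:
    return [v.strip() for v in value.split(",") if v.strip()]


def lint_sudo(text: str) -> List[Finding]:
    """Return the findings that would leave sudo without rules on an IPA client."""
    cp = _load(text)
    out: List[Finding] = []
    if "sudo" not in _csv(cp.get("sssd", "services", fallback="")):
        out.append(("error", "[sssd] services does not start the sudo responder"))
    for dom in _csv(cp.get("sssd", "domains", fallback="")):
        sec = f"domain/{dom}"
        if not cp.has_section(sec):
            out.append(("error", f"{sec}: section missing"))
            continue
        idp = cp.get(sec, "id_provider", fallback="")
        # sssd.conf(5): sudo_provider defaults to the value of id_provider.
        sudop = cp.get(sec, "sudo_provider", fallback=idp)
        base = cp.get(sec, "ldap_sudo_search_base", fallback="").lower()
        if idp == "ipa" and sudop == "ldap":
            out.append(("warn", f"{sec}: id_provider=ipa with sudo_provider=ldap mixes two "
                                "providers; sssd-sudo(5) configures sudo_provider=ipa"))
        if sudop == "ipa" and base.startswith("ou=sudoers"):
            out.append(("info", f"{sec}: IPA provider pointed at the compat tree {base}; "
                                "sssd 1.13+ can read the native tree cn=sudo,<base>"))
        if sudop == "ldap" and base and not base.startswith("ou=sudoers"):
            out.append(("warn", f"{sec}: the LDAP provider reads sudoRole entries, which IPA "
                                f"publishes in the compat tree, not at {base}"))
    return out


if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("fixed", FIXED_CONF)):
        print(name, lint_sudo(conf) or "ok")
```

Point it at a real file with `lint_sudo(open("/etc/sssd/sssd.conf").read())`. It does not replace the HBAC check that resolved the earlier thread (the sudo service still has to be allowed by an HBAC rule on the server), but it catches the client-side settings that make the responder return zero rules before any server-side work starts.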

Re: [Freeipa-users] sudo - differences between Centos 6.5 and Centos 7.0?

2016-07-13 Thread Tomas Simecek
Lukas,
yes, I went through that guide and I configured sssd.conf as per the doc
(you can see it in the beginning of the thread).

Actually the installation is:
[root@zp-cml-test sssd]# cat /etc/redhat-release
CentOS release 6.6 (Final)

and versions are:
[root@zp-cml-test sssd]# rpm -qa |grep sssd
sssd-proxy-1.11.6-30.el6.x86_64
sssd-common-pac-1.11.6-30.el6.x86_64
sssd-ipa-1.11.6-30.el6.x86_64
sssd-1.11.6-30.el6.x86_64
sssd-common-1.11.6-30.el6.x86_64
sssd-ad-1.11.6-30.el6.x86_64
sssd-ldap-1.11.6-30.el6.x86_64
python-sssdconfig-1.11.6-30.el6.noarch
sssd-krb5-common-1.11.6-30.el6.x86_64
sssd-krb5-1.11.6-30.el6.x86_64
sssd-client-1.11.6-30.el6.x86_64


There are some reasons why not to upgrade to later versions, believe me, I
would do it if I could :-)

T.


2016-07-13 13:27 GMT+02:00 Lukas Slebodnik <lsleb...@redhat.com>:

> On (13/07/16 11:18), Tomas Simecek wrote:
> >Dear freeIPA gurus,
> >in previous thread (
> >https://www.redhat.com/archives/freeipa-users/2016-July/msg00046.html)
> you
> >helped me get sudo working for AD users on Centos 7.0 (
> >spcss-2t-www.linuxdomain.cz).
> >It was caused by not knowing sudo needs to be enabled in HBAC rules.
> >Now it works properly on the Centos 7.0 client.
> >But it does not work on Centos 6.5 (zp-cml-test.linuxdomain.cz) with the
> >same sssd.conf setup.
> >The error message is always:
> >
> A) I would not recommend using such an obsolete distribution as CentOS 6.5.
>There is a quite old version of sssd (1.9.x) which has some bugs which
>are solved in later versions. Better would be to use the latest CentOS 6.8
>or at least CentOS 6.7
>
> B) Have you tried to follow instructions
>https://fedorahosted.org/sssd/wiki/HOWTO_Troubleshoot_SUDO
>
> Please provide any comments how we can improve troubleshooting wiki.
>
> LS
>

Re: [Freeipa-users] sudo - differences between Centos 6.5 and Centos 7.0?

2016-07-13 Thread Tomas Simecek
[be[linuxdomain.cz]]] [sdap_process_result]
(0x2000): Trace: sh[0x1f0e150], connected[1], ops[0x1f0d0b0],
ldap[0x1f03170]
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]]
[sdap_get_generic_ext_done] (0x0400): Search result: Success(0), no errmsg
set
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]]
[sdap_get_generic_ext_done] (0x2000): Total count [0]
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]]
[ipa_selinux_get_maps_done] (0x0400): No SELinux user maps found!
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]]
[be_pam_handler_callback] (0x0100): Backend returned: (0, 0, Success)
[Success]
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]]
[be_pam_handler_callback] (0x0100): Sending result [0][sd-stc.cz]
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]]
[be_pam_handler_callback] (0x0100): Sent result [0][sd-stc.cz]
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result]
(0x2000): Trace: sh[0x1f0e150], connected[1], ops[(nil)], ldap[0x1f03170]
(Wed Jul 13 12:05:21 2016) [sssd[be[linuxdomain.cz]]] [sdap_process_result]
(0x2000): Trace: ldap_result found nothing!

Tomas Simecek

2016-07-13 11:50 GMT+02:00 Jakub Hrozek <jhro...@redhat.com&

[Freeipa-users] sudo - differences between Centos 6.5 and Centos 7.0?

2016-07-13 Thread Tomas Simecek
Dear freeIPA gurus,
in previous thread (
https://www.redhat.com/archives/freeipa-users/2016-July/msg00046.html) you
helped me get sudo working for AD users on Centos 7.0 (
spcss-2t-www.linuxdomain.cz).
It was caused by not knowing sudo needs to be enabled in HBAC rules.
Now it works properly on the Centos 7.0 client.
But it does not work on Centos 6.5 (zp-cml-test.linuxdomain.cz) with the
same sssd.conf setup.
The error message is always:

[simecek.to...@sd-stc.cz@zp-cml-test ~]$ sudo cat /etc/nsswitch.conf
[sudo] password for simecek.to...@sd-stc.cz:
simecek.to...@sd-stc.cz is not allowed to run sudo on zp-cml-test.  This
incident will be reported.

Here are my HBAC rules; the second one should apply. It definitely applies
for the Centos 7.0 server:
[root@svlxxipap ~]# ipa hbacrule-find

2 HBAC rules matched

  Rule name: allow_all
  User category: all
  Host category: all
  Service category: all
  Description: Allow all users to access any host from any host
  Enabled: FALSE

  Rule name: Unixari na test servery
  Enabled: TRUE
  User Groups: grpunixadmins
  Hosts: spcss-2t-www.linuxdomain.cz, zp-cml-test.linuxdomain.cz
  Services: login, sshd, sudo, sudo-i, su, su-l

Number of entries returned 2


This is my /etc/sssd/sssd.conf. It is the same as on the Centos 7.0 server, just
with the proper server name of course:

[root@zp-cml-test sssd]# cat /etc/sssd/sssd.conf
[domain/linuxdomain.cz]
cache_credentials = True
krb5_store_password_if_offline = True
ipa_domain = linuxdomain.cz
id_provider = ipa
krb5_realm = LINUXDOMAIN.CZ
auth_provider = ipa
access_provider = ipa
ipa_hostname = zp-cml-test.linuxdomain.cz
chpass_provider = ipa
ipa_server = svlxxipap.linuxdomain.cz
ldap_tls_cacert = /etc/ipa/ca.crt
override_shell = /bin/bash
sudo_provider = ldap
ldap_uri = ldap://svlxxipap.linuxdomain.cz
ldap_sudo_search_base = ou=sudoers,dc=linuxdomain,dc=cz
ldap_sasl_mech = GSSAPI
#ldap_sasl_authid = host/zp-cml-test.linuxdomain...@linuxdomain.cz
ldap_sasl_authid = host/zp-cml-test.linuxdomain.cz
ldap_sasl_realm = LINUXDOMAIN.CZ
krb5_server = svlxxipap.linuxdomain.cz

[sssd]
services = nss, sudo, pam, ssh
config_file_version = 2
debug_level = 0x3ff0
domains = linuxdomain.cz
[nss]
homedir_substring = /home

[pam]
[sudo]
debug_level = 0x3ff0
[autofs]
[ssh]
[pac]
[ifp]

This is output from sssd_sudo.log:
(Wed Jul 13 08:58:38 2016) [sssd[sudo]] [accept_fd_handler] (0x0400):
Client connected!
(Wed Jul 13 08:58:38 2016) [sssd[sudo]] [sss_cmd_get_version] (0x0200):
Received client version [1].
(Wed Jul 13 08:58:38 2016) [sssd[sudo]] [sss_cmd_get_version] (0x0200):
Offered version [1].
(Wed Jul 13 08:58:38 2016) [sssd[sudo]] [sudosrv_cmd] (0x2000): Using
protocol version [1]
(Wed Jul 13 08:58:38 2016) [sssd[sudo]] [sss_parse_name_for_domains]
(0x0200): name 'simecek.to...@sd-stc.cz' matched expression for domain '
sd-stc.cz', user is simecek.tomas
(Wed Jul 13 08:58:38 2016) [sssd[sudo]] [sss_parse_name_for_domains]
(0x0200): name 'simecek.to...@sd-stc.cz' matched expression for domain '
sd-stc.cz', user is simecek.tomas
(Wed Jul 13 08:58:38 2016) [sssd[sudo]] [sudosrv_cmd_parse_query_done]
(0x0200): Requesting default options for [simecek.tomas] from [sd-stc.cz]
(Wed Jul 13 08:58:38 2016) [sssd[sudo]] [sudosrv_get_user] (0x0200):
Requesting info about [simecek.to...@sd-stc.cz]
(Wed Jul 13 08:58:38 2016) [sssd[sudo]] [sudosrv_get_user] (0x0400):
Returning info for user [simecek.to...@sd-stc.cz]
(Wed Jul 13 08:58:38 2016) [sssd[sudo]] [sudosrv_get_rules] (0x0400):
Retrieving default options for [simecek.to...@sd-stc.cz] from [sd-stc.cz]
(Wed Jul 13 08:58:38 2016) [sssd[sudo]] [sysdb_search_group_by_gid]
(0x0400): No such entry
(Wed Jul 13 08:58:38 2016) [sssd[sudo]] [sudosrv_get_sudorules_query_cache]
(0x0200): Searching sysdb with
[(&(objectClass=sudoRule)(|(sudoUser=ALL)(name=defaults)(sudoUser=
simecek.to...@sd-stc.cz)(sudoUser=#988604700)(sudoUser=%domain
us...@sd-stc.cz)(sudoUser=%unixadm...@sd-stc.cz)(sudoUser=%
mfcr_...@sd-stc.cz)(sudoUser=%acco...@sd-stc.cz)(sudoUser=%w...@sd-stc.cz
)(sudoUser=%grpunixadmins)(sudoUser=+*))(&(dataExpireTimestamp<=1468393118)))]
(Wed Jul 13 08:58:38 2016) [sssd[sudo]] [sudosrv_get_rules] (0x2000): About
to get sudo rules from cache
(Wed Jul 13 08:58:38 2016) [sssd[sudo]] [sudosrv_get_sudorules_query_cache]
(0x0200): Searching sysdb with [(&(objectClass=sudoRule)(|(name=defaults)))]
(Wed Jul 13 08:58:38 2016) [sssd[sudo]] [sudosrv_get_sudorules_from_cache]
(0x0400): Returning 0 rules for [@sd-stc.cz]
(Wed Jul 13 08:58:38 2016) [sssd[sudo]] [sudosrv_cmd] (0x2000): Using
protocol version [1]
(Wed Jul 13 08:58:38 2016) [sssd[sudo]] [sss_parse_name_for_domains]
(0x0200): name 'simecek.to...@sd-stc.cz' matched expression for domain '
sd-stc.cz', user is simecek.tomas
(Wed Jul 13 08:58:38 2016) [sssd[sudo]] [sss_parse_name_for_domains]
(0x0200): name 'simecek.to...@sd-stc.cz' matched expression for domain '
sd-stc.cz', 

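The sysdb filter in the excerpt above lists every identity sssd tried to match a sudoRule against (the user name, the numeric uid, each group, and a netgroup wildcard) before the cache answered "Returning 0 rules". The script below is an added example, not code from this thread or from SSSD: it parses sssd sudo-responder log records of that shape and summarises which identities were queried and how many rules came back, which is the first thing to check when an AD user gets "not in the sudoers file". The sample records and the names in them (jdoe@example.test, uid 4242, group admins) are constructed.

```python
# Added example (not SSSD code): summarise one sssd sudo-responder rule lookup
# from sssd_sudo.log records. The sample records and names are constructed.
import re
# One record: "(timestamp) [sssd[component]] [function] (0xLEVEL): message"
LOG_RE = re.compile(r"^\((?P<ts>[^)]+)\) \[(?P<comp>sssd\[\S+?)\] \[(?P<func>[^\]]+)\] "
                    r"\((?P<lvl>0x[0-9a-fA-F]+)\): (?P<msg>.*)$")
SUDOUSER_RE = re.compile(r"\(sudoUser=([^)]+)\)")
RETURN_RE = re.compile(r"Returning (\d+) rules for \[([^\]]*)\]")
def parse_line(line):
    """Split one record into its fields; None for text that is not a record."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None

def identities_from_filter(msg):
    """Classify the sudoUser values sssd put into its sysdb search filter."""
    ids = {"all": False, "user": None, "uid": None, "groups": [], "netgroup_wildcard": False}
    for value in SUDOUSER_RE.findall(msg):
        if value == "ALL":
            ids["all"] = True
        elif value.startswith("#"):      # numeric uid, e.g. #4242
            ids["uid"] = int(value[1:])
        elif value.startswith("%"):      # group membership (name may contain spaces)
            ids["groups"].append(value[1:])
        elif value.startswith("+"):      # netgroup wildcard
            ids["netgroup_wildcard"] = True
        else:                            # the user name itself
            ids["user"] = value
    return ids

def summarize_lookup(lines):
    """Report which identities were queried and how many rules the cache returned."""
    summary = {"identities": None, "rules_returned": None}
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["func"] == "sudosrv_get_sudorules_query_cache" and "sudoUser=" in rec["msg"]:
            summary["identities"] = identities_from_filter(rec["msg"])
        elif rec["func"] == "sudosrv_get_sudorules_from_cache":
            if (m := RETURN_RE.search(rec["msg"])):
                summary["rules_returned"] = int(m.group(1))
    return summary
# Constructed sample modelled on the excerpt above (placeholder user, uid and group).
SAMPLE_LOG = [
    "(Wed Jul 13 08:58:38 2016) [sssd[sudo]] [sudosrv_get_sudorules_query_cache] (0x0200): "
    "Searching sysdb with [(&(objectClass=sudoRule)(|(sudoUser=ALL)(name=defaults)(sudoUser=jdoe@example.test)"
    "(sudoUser=#4242)(sudoUser=%admins@example.test)(sudoUser=+*))(&(dataExpireTimestamp<=1468393118)))]",
    "(Wed Jul 13 08:58:38 2016) [sssd[sudo]] [sudosrv_get_sudorules_from_cache] (0x0400): "
    "Returning 0 rules for [@example.test]",
]
```

A summary whose identities are all present but whose rules_returned is 0 means the cache held nothing for this user, so the next place to look is the backend's sudo refresh in the domain log, not the responder.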
Re: [Freeipa-users] Freeipa and sudo

2016-07-06 Thread Tomas Simecek
x2000): Setting up signal handler up for pid [32186]
(Wed Jul  6 15:19:54 2016) [sssd[be[linuxdomain.cz]]] [child_handler_setup]
(0x2000): Signal handler set up for pid [32186]
(Wed Jul  6 15:19:54 2016) [sssd[be[linuxdomain.cz]]] [write_pipe_handler]
(0x0400): All data has been sent!
(Wed Jul  6 15:19:54 2016) [sssd[be[linuxdomain.cz]]] [read_pipe_handler]
(0x0400): EOF received, client finished
(Wed Jul  6 15:19:54 2016) [sssd[be[linuxdomain.cz]]] [fo_set_port_status]
(0x0100): Marking port 0 of server 'svlxxipap.linuxdomain.cz' as 'working'
(Wed Jul  6 15:19:54 2016) [sssd[be[linuxdomain.cz]]]
[set_server_common_status] (0x0100): Marking server '
svlxxipap.linuxdomain.cz' as 'working'
(Wed Jul  6 15:19:54 2016) [sssd[be[linuxdomain.cz]]] [fo_set_port_status]
(0x0400): Marking port 0 of duplicate server 'svlxxipap.linuxdomain.cz' as
'working'
(Wed Jul  6 15:19:54 2016) [sssd[be[linuxdomain.cz]]]
[krb5_auth_store_creds] (0x0010): unsupported PAM command [249].
(Wed Jul  6 15:19:54 2016) [sssd[be[linuxdomain.cz]]]
[krb5_auth_store_creds] (0x0010): password not available, offline auth may
not work.
(Wed Jul  6 15:19:54 2016) [sssd[be[linuxdomain.cz]]] [check_wait_queue]
(0x1000): Wait queue for user [simecek.to...@sd-stc.cz] is empty.
(Wed Jul  6 15:19:54 2016) [sssd[be[linuxdomain.cz]]]
[krb5_auth_queue_done] (0x1000): krb5_auth_queue request [0x7f2389359480]
done.
(Wed Jul  6 15:19:54 2016) [sssd[be[linuxdomain.cz]]]
[be_pam_handler_callback] (0x0100): Backend returned: (0, 0, )
[Success (Success)]
(Wed Jul  6 15:19:54 2016) [sssd[be[linuxdomain.cz]]]
[be_pam_handler_callback] (0x0100): Sending result [0][sd-stc.cz]
(Wed Jul  6 15:19:54 2016) [sssd[be[linuxdomain.cz]]]
[be_pam_handler_callback] (0x0100): Sent result [0][sd-stc.cz]
(Wed Jul  6 15:19:54 2016) [sssd[be[linuxdomain.cz]]] [child_sig_handler]
(0x1000): Waiting for child [32186].
(Wed Jul  6 15:19:54 2016) [sssd[be[linuxdomain.cz]]] [child_sig_handler]
(0x0100): child [32186] finished successfully.


I'll appreciate any other hints if you have some.

Thanks,
Tomas Simecek


2016-07-05 15:58 GMT+02:00 Danila Ladner <ladner.dan...@gmail.com>:

> What about /etc/nsswitch.conf?
> Does it have "sudo: files sss"?
>
> On Mon, Jul 4, 2016 at 3:50 AM, Tomas Simecek <simecek.to...@gmail.com>
> wrote:
>
>> Dear freeipa users/admins,
>> I'm trying to implement freeipa in our company, so that our Unix admins
>> can authenticate on Linux servers using their Windows AD account.
>> Following this guide
>> https://www.freeipa.org/page/Active_Directory_trust_setup it seems to
>> work well, they can login without problems.
>> What I cannot get working is sudo from their AD accounts on Linux.
>>
>> No matter what I try, it is still:
>>
>> sudo systemctl restart httpd
>> [sudo] password for simecek.to...@sd-stc.cz:
>> Sorry, try again.
>>
>> Here's our setup:
>> Freeipa server: CentOS Linux release 7.2.1511 (Core),
>> ipa-server-4.2.0-15.0.1.el7.centos.6.1.x86_64
>> Freeipa client: the same
>>
>> AD domain name: sd-stc.cz
>> IPA domain: linuxdomain.cz
>>
>> When digging in logs and googling, I realized that the problem on client
>> side could be:
>>
>> [root@spcss-2t-www ~]# kinit -k
>> kinit: Cannot determine realm for host (principal host/spcss-2t-www@)
>>
>> But this seems to work:
>> [root@spcss-2t-www ~]# kinit simecek.to...@sd-stc.cz
>> Password for simecek.to...@sd-stc.cz:
>> [root@spcss-2t-www ~]# klist
>> Default principal: simecek.to...@sd-stc.cz
>>
>> Valid starting   Expires  Service principal
>> 07/04/2016 09:36:26  07/04/2016 19:36:26  krbtgt/sd-stc...@sd-stc.cz
>> renew until 07/05/2016 09:36:23
>>
>> My /etc/sssd/sssd.conf:
>> [domain/linuxdomain.cz]
>>
>> cache_credentials = True
>> krb5_store_password_if_offline = True
>> ipa_domain = linuxdomain.cz
>> krb5_realm = LINUXDOMAIN.CZ
>> id_provider = ipa
>> auth_provider = ipa
>> access_provider = ipa
>> ipa_hostname = spcss-2t-www.linuxdomain.cz
>> chpass_provider = ipa
>> ipa_server = svlxxipap.linuxdomain.cz
>> ldap_tls_cacert = /etc/ipa/ca.crt
>> override_shell = /bin/bash
>> sudo_provider = ldap
>> ldap_uri = ldap://svlxxipap.linuxdomain.cz
>> ldap_sudo_search_base = ou=sudoers,dc=linuxdomain,dc=cz
>> ldap_sasl_mech = GSSAPI
>> ldap_sasl_authid = host/spcss-2t-www.linuxdomain...@linuxdomain.cz
>> ldap_sasl_realm = LINUXDOMAIN.CZ
>> krb5_server = svlxxipap.linuxdomain.cz
>>
>> [sssd]
>> services = nss, sudo, pam, ssh
>> config_file_version = 2
>>
>> domains = linuxdomain.cz
>> [nss]
>> homedir_substring = /home
>> 
>>

[Freeipa-users] Freeipa and sudo

2016-07-05 Thread Tomas Simecek
Dear freeipa users/admins,
I'm trying to implement freeipa in our company, so that our Unix admins can
authenticate on Linux servers using their Windows AD account.
Following this guide
https://www.freeipa.org/page/Active_Directory_trust_setup it seems to work
well, they can login without problems.
What I cannot get working is sudo from their AD accounts on Linux.

No matter what I try, it is still:

sudo systemctl restart httpd
[sudo] password for simecek.to...@sd-stc.cz:
Sorry, try again.

Here's our setup:
Freeipa server: CentOS Linux release 7.2.1511 (Core),
ipa-server-4.2.0-15.0.1.el7.centos.6.1.x86_64
Freeipa client: the same

AD domain name: sd-stc.cz
IPA domain: linuxdomain.cz

When digging in logs and googling, I realized that the problem on client
side could be:

[root@spcss-2t-www ~]# kinit -k
kinit: Cannot determine realm for host (principal host/spcss-2t-www@)

But this seems to work:
[root@spcss-2t-www ~]# kinit simecek.to...@sd-stc.cz
Password for simecek.to...@sd-stc.cz:
[root@spcss-2t-www ~]# klist
Default principal: simecek.to...@sd-stc.cz

Valid starting   Expires  Service principal
07/04/2016 09:36:26  07/04/2016 19:36:26  krbtgt/sd-stc...@sd-stc.cz
renew until 07/05/2016 09:36:23

My /etc/sssd/sssd.conf:
[domain/linuxdomain.cz]

cache_credentials = True
krb5_store_password_if_offline = True
ipa_domain = linuxdomain.cz
krb5_realm = LINUXDOMAIN.CZ
id_provider = ipa
auth_provider = ipa
access_provider = ipa
ipa_hostname = spcss-2t-www.linuxdomain.cz
chpass_provider = ipa
ipa_server = svlxxipap.linuxdomain.cz
ldap_tls_cacert = /etc/ipa/ca.crt
override_shell = /bin/bash
sudo_provider = ldap
ldap_uri = ldap://svlxxipap.linuxdomain.cz
ldap_sudo_search_base = ou=sudoers,dc=linuxdomain,dc=cz
ldap_sasl_mech = GSSAPI
ldap_sasl_authid = host/spcss-2t-www.linuxdomain...@linuxdomain.cz
ldap_sasl_realm = LINUXDOMAIN.CZ
krb5_server = svlxxipap.linuxdomain.cz

[sssd]
services = nss, sudo, pam, ssh
config_file_version = 2

domains = linuxdomain.cz
[nss]
homedir_substring = /home


My /etc/krb5.conf:
#File modified by ipa-client-install

includedir /var/lib/sss/pubconf/krb5.include.d/

[libdefaults]
  default_realm = LINUXDOMAIN.CZ
  dns_lookup_realm = true
  dns_lookup_kdc = true
  rdns = false
  ticket_lifetime = 24h
  forwardable = yes
  udp_preference_limit = 0
  default_ccache_name = KEYRING:persistent:%{uid}


[realms]
  LINUXDOMAIN.CZ = {
pkinit_anchors = FILE:/etc/ipa/ca.crt
  }


[domain_realm]
  .linuxdomain.cz = LINUXDOMAIN.CZ
  linuxdomain.cz = LINUXDOMAIN.CZ

Would you please suggest which way to investigate?

Thanks

Tomas Simecek
-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project